The Sorry State Of Cybersecurity Awareness Training

Rules aren't really rules if breaking them has no consequences.

In today's dangerous cyberworld, corporations often say that cybersecurity is now a top priority for them, especially after all the massive data breaches we've been hearing about on a day-to-day basis. But one has to wonder, if that's case, why are so few companies doing cybersecurity training properly?

Sadly, the most common and detrimental thing that many companies are doing wrong when it comes to training employees on cybersecurity is a big one: they aren't doing it all.

Regardless of industry or company size, I've seen way too many companies that aren't implementing any sort of cybersecurity training, not even at employee orientation. It's also important to note that the companies that do implement security training, but only conduct it at new-hire orientation and then never mention it again, are not much better. Many companies fall into this category.

While employees are getting some sense of what to look out for when they receive training, the threat landscape changes so quickly that the information becomes obsolete within weeks or months and, without regular reminders, it's out of employees' minds quickly. In other words, the information is no longer top of mind.

Finally, very few companies are having regular cybersecurity training programs and refresher courses. I recommend companies do training updates once a month throughout the entire year, and I only know of a handful of companies that are actually doing this.

The next step after implementing a regular cybersecurity training program is to put in place policies and procedures to enforce what's learned. Again, I'm seeing almost no companies doing this, so employees aren't being held accountable for skirting proper procedures that would normally protect their company from different cyberthreats.

Results in the Real WorldThe longest it has ever taken for me to hack into a company's system remotely through tactics such as phishing emails is minutes. Usually, I'm already in the system 10 minutes after the phishing email has been sent. When doing on-site tests, if we properly cased the company (which a good hacker will), we are in within an hour. This is a clear illustration of the need for better cybersecurity training.

For example, at one social engineering engagement I performed at a large oil and gas company, I was able to get into the organization and gain full run of the computer network in under an hour, and no one stopped or questioned me. While they did have an information security training program in place, no one was enforcing the practices being taught. Because I could penetrate their network so quickly, the CIO had to be in the exit interview with me, though that was not the initial plan.

Another example is from a very large retailer. During the company's cybersecurity training process, I came in to do a social engineering test on the employees. The training should have been top of mind because the employees were currently going through it — the person who let me into the office even said that she was doing training at the moment and knew she was not supposed to let people in — but then she let me in anyway. I quickly gained access to the computer network once I was in the building, and there were no repercussions to the employees. This is a key example why there is much less likelihood that employees will be mindful of security practices that the company expects them to adhere to if there is no enforcement of the rules.

Simply put, there must be some sort of policy and enforcement in place for not adhering to security policies, such as a counseling session, but I see no companies doing this. Without enforcement, employees see the training as onerous. They simply ignore what they have learned, or don't take the training at all, claiming that they're too busy.

To be effective, companies need to stop treating cybersecurity training like a box to check off for compliance purposes and take it seriously. Once that happens, employees will take it seriously as well.

As the Chief Information Officer of Digital Defense, Tom DeSot is charged with developing and maintaining relationships with key industry and market regulators; functioning as the "face of DDI" through public speaking initiatives, identifying key integration and service ... View Full Bio

Great point! CyberTraining 365 is my recommendation for U.S. based companies. They're accredited and aligned with NICE (framework outlined by the National Institute of Standards and Technology) as well as accredited by EC-Council and partnerships with industry experts. They do both technical and awareness training. https://www.cybertraining365.com/cybertraining/Home

You are correct, the Board of Directors as well as senior management need to be held accountable as well. Unfortunately, this is a "top down" initiative and must have senior level support in order for it to be successful.

To be clear, I'm not suggesting that the only way that things can be done is by "flogging the peasantry", quite the contrary. What I'm suggesting is that companies place the same amount of emphasis on ensuring that information security training is taking place as they do, with say, their office supply policy. I've seen companies where an employee is taken to task for violating the office supply policy, yet when they don't complete their information security training, there's no consequence.

You are correct in that it needs to start at the top, because without C-Suite backing, the training program is more than likely going to falter and fail out of the gate. Further, if the employees see that there are no repercussions from senior management then, by proxy, they are given carte blanche to ignore the training.

You're right. It's about accountability. If the leaders don't hold themselves accountable, they can't expect the rest of the organization to. A top down approach is needed for a successful cyber security training program and proper implementation and practice of policy.

1) If something is everybody's job, it's nobody's job. If employees whose primary tasks are to answer telephones or to do data entry or construct marketing plans or whatever engage in a cybersecurity failing, while there should be some remediation, instead of flogging the peasants, I propose punishing the generals -- and calling the CIO/CISO/etc. on the carpet -- because, ultimately, it's their failing. If the front-line employees aren't properly trained and properly acting on that training, it's the trainers' fault and the fault of the people responsible for that training to begin with.

2) In a heavy-handed "flog-the-peasants" environment, employees -- even managers -- will be reluctant at best to come forward if they violate a policy that then results in a potential data compromise. Consequently, there needs to be appropriate policy for this that doesn't use the stick so much as the carrot. (I've written on this, for example, here: enterprisenetworkingplanet.com/netsysm/minimize-shadow-it-damage-by-encouraging-self-reporting.html ).

Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.

Published: 2017-05-09NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.